Techniques for establishing virtual devices

ABSTRACT

Techniques for establishing virtual devices are presented. A legacy control system is encapsulated as a virtual device. The virtual device is isolated within a host hardware associate with a host OS and access to and from the virtual device is authenticated and controlled by the host OS. Legacy hardware used by the legacy control system is connected to the host hardware, thereby permitting the legacy control system to continue to access the legacy hardware when the virtual device processes.

RELATED APPLICATIONS

The present application is co-pending with, is a Continuation of, andclaims priority to U.S. patent application Ser. No. 12/271,247,entitled: “Techniques for Establishing Virtual Devices,” filed on Nov.14, 2008 and which presently stands allowed and the disclosure of whichis incorporated by reference herein in its entirety.

BACKGROUND

Many industries have long implemented their core business processes insoftware systems. For example, process oriented industries such aschemical plants and power plants are known to keep their core processesin software systems for many years. Also, sometimes it is hard to stopthe process control metrics and measurement methodologies within anenterprise. These plants are initially setup for years of operation butthe control or software systems, which utilize hardware like personalcomputers connecting to the systems through General Purpose InterfaceBuses, Analogue-to-Digital convertors or other logical circuits have tobe designed with a particular computer Operating System (OS) in mind.

However, software and hardware becomes outdated faster than the controlor software systems of an enterprise. Moreover, old software may not bedesigned to handle new and more frequent security threats thatinformation systems are constantly exposed to in today's highlynetworked environment. Additionally, support for older versions of OS'smay be discontinued by an OS vendor. So, with these modern realities anymodern enterprise that continues to run legacy control or softwaresystems is treading on dangerously thin ice, which can be fatal to theenterprise depending upon the nature of the industry.

Consequently, enterprises may expend huge sums of capital and largeamounts of human resources to continue to support outdated hardware andOS's because to do otherwise could put the entire enterprise injeopardy. The alternative is to undergo a large internal infrastructureproject to port the control or software systems to modern hardware andmodern versions of an OS. Yet, with the alternative approach theenterprise can find itself in a perpetual cycle where as soon as oneport ends another one has to begin because what was considered modernhas since become outdated. It is apparent that many industries are facedwith difficult choices and large expenditures to continue their existingoperations and practices. These expenses are often passed onto theconsumer such that eventually a smaller more nimble startup company canenter the market at a lower price point with a more modern internalinfrastructure for its control and software systems; this puts extremeand sometimes insurmountable pressure on the enterprise from acompetitive standpoint.

Thus, what are needed are techniques, which allow for improved support,integration, and security of legacy control or software systems to allowenterprises to be more competitive in today's environment.

SUMMARY

In various embodiments, techniques for establishing virtual devices arepresented. More specifically, and in an embodiment, a method is providedthat establishes a virtual device to isolate and migrate a legacycontrol or software system in a different OS and machine architecturefrom its native OS and native machine architecture.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a diagram of a method is provided that establishes a virtualdevice to isolate and migrate a legacy control or software system in adifferent OS and machine architecture from its native OS and nativemachine architecture, according to an example embodiment.

FIG. 2 is a diagram of another method that establishes a virtual deviceto isolate and to migrate a legacy control or software system in adifferent OS and machine architecture from its native OS and nativemachine architecture, according to an example embodiment.

FIG. 3 is a diagram of a virtual device establishment system, accordingto an example embodiment.

FIG. 4 is a diagram of another virtual device establishment system,according to an example embodiment.

DETAILED DESCRIPTION

As used herein a “virtual device” refers to a virtual machine (VM) thatprocesses its own version of a particular OS and mimics a particularmachine architecture on another and entirely different machinearchitecture. The VM is a logical machine that is independent of itsphysical process environment or physical machine. Again, the VM includesits own OS, its own file system (FS), its own directory services, etc.,which may each be different from the physical processing environment ofthe host machine. As used herein virtual device and VM maybe usedinterchangeably.

A “legacy control system” refers to a processing environment and suiteof software services that was originally designed to process on one ormore particular machine architectures and one or more particular OS's orversions of a particular OS. These machine architectures, OS's, andversions of a particular OS are referred to herein as “native” machinearchitectures, OS's and versions of a particular OS; native with respectto the legacy system. The legacy control system also relies at least inpart on access to legacy hardware or legacy devices associated with itsnative machine architectures.

According to an embodiment, the techniques presented herein areimplemented in products associated and distributed by Novell®, Inc. ofProvo, Utah.

Of course, the embodiments of the invention can be implemented in avariety of architectural platforms, operating and server systems,devices, systems, or applications. Any particular architectural layoutor implementation presented herein is provided for purposes ofillustration and comprehension only and is not intended to limit variousaspects of the invention.

It is within this initial context, that various embodiments of theinvention are now presented with reference to the FIGS. 1-4.

FIG. 1 is a diagram of a method 100 is provided that establishes avirtual device to isolate and migrate a legacy control or softwaresystem in a different OS and machine architecture from its native OS andnative machine architecture, according to an example embodiment. Themethod 100 (hereinafter “virtual device establishment service”) isimplemented as instructions in a machine-accessible and readable medium.The instructions when executed by a machine (processing device,computer, etc.) perform the processing depicted in FIG. 1. The virtualdevice establishment service is also operational over and processeswithin a network. The network may be wired, wireless, or a combinationof wired and wireless.

At 110, the virtual device establishment service creates a virtual imageof a legacy processing environment associated with a first or native OS.The virtual image includes a legacy control system that relies on: thelegacy processing environment; the first, native or legacy OS; andaccess to legacy or native hardware. Any physical to virtual applicationor service can be used to create the virtual image, such applications orservices are available for purposes of backing up hardware and softwaresystems.

At 120, the virtual device establishment service connects nativehardware that the legacy control system accesses during its operation tohost hardware that also processes a second OS.

At 130, the virtual device establishment service installs the virtualimage in the host hardware, such that the first or legacy OS of thevirtual image is designated as a guest OS on the host hardware. Thesecond OS is designated as a host or controlling OS for the hosthardware.

At 140, the virtual device establishment service establishes a securetrust communication relationship between the guest OS and the host OS.That is, the host OS and the guest OS authenticate to one another duringstartup and initialization and perhaps periodically or even during eachcommunication between the two. Any technique of combinations oftechniques can be used to establish this secure trust relationship.

According to an embodiment, at 141, the virtual device establishmentservice permits the legacy control system, via the guest OS, to directlyaccess the native or legacy hardware. This is permitted once the securetrust communication relationship has been established and the guest OSauthenticated. The legacy control system may access a variety of legacyor native hardware that may be outdated or not supported by the hosthardware and the host OS; thus, by connecting the native hardware to thehost hardware and installing the guest OS with the legacy controlsystem, the legacy control system can still access this legacy hardware.This hardware can include a variety of things, such as mechanicaldevices uses in an enterprise that have processor-enabled capabilities,outdated computers, old storage devices, etc. The legacy control systemcan continue to use its old device interfaces to directly access thedevices associated with the legacy hardware. Thus, the legacy controlsystem is essentially encapsulated by the virtual device establishmentservice within host hardware, which has a modern and updated host OS;and yet, the legacy control system can continue to process unabatedusing old device drivers to access that legacy hardware even while thelegacy control system essentially processes on the host hardware.

At 150, the virtual device establishment service exposes (via anapplication associated with either a service installed within thevirtual image when it was created or associated with the legacy controlsystem) the native hardware for access and perhaps monitoring by thehost OS. Thus, the host OS can gain access to the native hardware. Thiscan be achieved in a number of ways.

For example, at 151, the virtual device establishment service identifiesthe application as a generic device driver that exposes each deviceassociated with the native hardware to the host OS as a particulardevice driver that is accessible to the host OS.

In another case, at 152, the virtual device establishment serviceidentifies the application as a Remote Procedure Call (RPC), whichpermits the host OS to establish a remote connection. The remoteconnection exposes device drivers for devices of the native hardwareback to the host OS. This can be done via software on the guest OS thatexposes the device drivers for the native hardware devices as user levelapplication objects. The host OS communicates with the guest OS througha user mode of operation.

In yet another situation, at 153, the virtual device establishmentservice identifies the application as an application connection layerthat is provided for the native hardware and that includes anApplication Programming Interface (API) for the host to connect to thedevices of the native hardware. This API can be supplied by the hardwarevendor or other vendors with an interest in providing such an API. TheAPI permits the host OS to connect to outdated or unsupported devicesassociated with the legacy or native hardware.

At 160, the virtual device establishment service executes the legacycontrol system via the guest OS within or on the host hardware. So, asstated before, the legacy control system is essentially encapsulated asa virtual device or virtual machine (VM) on the host hardware andinstalled and executed on the host hardware as a guest OS that iscommunicated with and controlled by a host OS. The legacy control systemcan still access its needed legacy hardware and its associated devices.

According to an embodiment, at 161, the virtual device establishmentservice receives input data for the legacy control system via otherapplications that process within the host OS on the host hardware. Theseother applications can be used to verify the security of and validity ofany input data before it is passed on to the legacy control system viathe host OS to the guest OS. So, essentially a legacy control system canbenefit from more updated security mechanisms because the applicationsare running on an updated host OS. The legacy control system thenbenefits and is made more secure because input data is processed andvalidated before that data ever reaches the guest OS and the legacycontrol system. The applications can also be used to enhance features ofthe legacy control system. The enhancement are embodied on a more modernhost OS, such that enhancements to the legacy control system does nothave to continue to occur via outdated technology.

In still another case, at 162, the virtual device establishment serviceis used to isolate the guest OS and its native hardware so that neithercan connect to external networks or external resources. This is done toensure that all input provided and output produced from the legacycontrol system are self-contained within the confines of the guest OS orfirst-filtered through the host OS that can enforce modern securitymechanisms against any attempted external accesses. The legacy controlsystem, via the guest OS, is walled off from the outside world much likea firewall does an Intranet and yet as discussed above the legacycontrol system can still be enhanced via applications that are developedon modern architectures and can be interfaced to via security mechanismsassociated with those modern architectures.

FIG. 2 is a diagram of another method 200 that establishes a virtualdevice to isolate and migrate a legacy control or software system in adifferent OS and machine architecture from its native OS and nativemachine architecture, according to an example embodiment. The method 200(herein after referred to as “legacy system encapsulation service”) isimplemented in a machine-accessible and readable medium as instructions,which when accessed by a machine performs the processing depicted in theFIG. 2. The legacy system encapsulation service is also operational overa network; the network may be wired, wireless, or a combination of wiredand wireless.

The legacy system encapsulation service represents another and in somecases an enhanced perspective to the virtual device establishmentservice represented by the method 100 of the FIG. 1.

At 210, the legacy system encapsulation service encapsulates a legacycontrol system and its native or legacy OS as a virtual device.

One technique for doing this was discussed above with reference to themethod 100 of the FIG. 1. Specifically, at 211, the legacy systemencapsulation service creates a virtual image for the legacy controlsystem that includes the native processing environment of the legacycontrol system, the native OS, and the legacy control system. When thevirtual image is installed on the host hardware of a host OS, thevirtual image represents the virtual device or a virtual machine (VM).

At 220, the legacy system encapsulation service authenticates thevirtual device before that virtual device is permitted to install andexecute on host hardware. It is again noted that the host hardwareincludes more updated or modern host hardware from the native hardwareassociated with the legacy control system and includes a more updated ormodern host OS from the native OS of the legacy control system. Anyauthentication technique can be used or combination of authenticationtechniques to authenticate the virtual device.

At 230, the legacy system encapsulation service installs the virtualdevice within host hardware of the host OS. So, now the legacy controlsystem is set to execute on more modern and updated hardware and yet itsnative hardware is encapsulated within the virtual device so that thelegacy control system believes that it is still processing on thatnative hardware. The legacy control system continues to process withinthe virtual device on its native OS, but the virtual device executes onthe host hardware.

According to an embodiment, at 231, the legacy system encapsulationservice prevents external connections that are available to the virtualdevice within the host OS so that these external connections to externalnetworks and/or external resources have to first pass through the modernand updated host OS. The virtual device is walled off within the hosthardware and the host OS.

At 240, the legacy system encapsulation service permits the legacycontrol system, via the virtual device, to access some devicesassociated with its original native hardware using legacy nativehardware device drivers that the legacy control system is configured touse.

In some cases, at 241, the legacy system encapsulation servicefacilitates connections between the host OS and the native hardware viaone or more services provided within the virtual device. For example, at242, the legacy system encapsulation service uses an interface from thevirtual device that exposes the native hardware and its devices to thehost OS and permits the host OS to access those devices of the nativehardware. This was discussed at length along with other mechanisms toachieve this above with reference to the method 100 of the FIG. 1.

At 250, the legacy system encapsulation service executes the virtualdevice within or on the host hardware.

At 260, the legacy system encapsulation service also validates inputdata gathered on the host OS for the virtual device before that inputdata is passed through from the host OS to the virtual device andultimately the legacy control system of the virtual device. Again, thiscan be used to enforce modern or enhanced security that the legacycontrol system may not have been able to address given its legacyprocessing environment.

At 270, the legacy system encapsulation service passes the validatedinput data from the host OS to the virtual device for processing by thelegacy control system within its legacy processing environment, which isencapsulated within the virtual device.

In an embodiment, at 271, the legacy system encapsulation service:gathers input data, manipulates the input data, and/or processes anumber of enhanced input data services against that validated input databefore the validated input data is passed from the host OS to thevirtual device.

According to an embodiment, at 280, the legacy system encapsulationservice processes enhancement services against output data produced bythe legacy control system on the virtual device. This is done when theoutput data is received from the virtual device in response to thevalidated input data. The enhancement services are processed within thehost OS. So, not only can input to the legacy control system be enhancedand have added security but output produced by the legacy control systemcan be enhanced. The input/output enhancements occur via servicesdeveloped and executed within a modern host OS on modern host hardware.

FIG. 3 is a diagram of a virtual device establishment system 300,according to an example embodiment. The virtual device establishmentsystem 300 is implemented in a machine-accessible and computer-readablestorage medium as instructions, which when accessed by a machineperforms, among other things, the processing depicted in the methods 100and 200 of the FIGS. 1 and 2, respective. The virtual deviceestablishment system 300 is also operational over a network; the networkmay be wired, wireless, or a combination of wired and wireless.

The virtual device establishment system 300 includes a host operatingsystem 301A and a virtual device configuration service 302. The virtualdevice establishment system 300 may also include one or moreapplications 304. Each of these components and their interactions withone another will now be discussed in turn.

The host OS 301A is implemented as instructions within acomputer-readable storage medium that processes on host hardware 301B(such as a modern computer, etc.). Example aspects of the host OS 301Aand its features were discussed in detail above with reference to themethods 100 and 200 of the FIGS. 1 and 2, respectively.

The virtual device configuration service 302 is also implemented asinstructions within a computer-readable storage medium and processes onthe host hardware 301B. Example aspects of the virtual deviceconfiguration service 302 and its features were discussed in detailabove with reference to the methods 100 and 200 of the FIGS. 1 and 2,respective.

The virtual device configuration service 302A creates a virtual image orvirtual device 303A that processes as a guest OS 303A. The virtualdevice 303A is a virtual image for a legacy control system, a legacyprocessing environment used by the legacy control system, and a legacyOS used by the legacy processing environment. The virtual image orvirtual device 303A is installed and isolated within the host hardware301B and that virtual device 303A is executed as a guest OS 303A.External access to and from the virtual device 303A is validated andcontrolled by the host OS 301A.

Furthermore, legacy hardware 303B is accessed by the legacy controlsystem by connecting the legacy hardware 303B to the host hardware 301Bso that the virtual device 303A can directly access that legacy hardware303B.

In an embodiment, a generic interface exposes the legacy hardware 303Bto the host OS 301A and thereby permits the host OS 301A to also accessthe legacy hardware 303B. Example techniques for achieving this werepresented above with reference to the methods 100 and 200 of the FIGS. 1and 2, respectively.

In an embodiment, the host OS 301A can use the generic interface to alsoauthenticate the legacy hardware 303B.

In some cases the virtual device establishment system 300 also includesan application 304.

The application 304 is implemented in a computer-readable storage mediumthat processes within the host OS 301A on the host hardware 301B. Theapplication 304 gathers and supplies input data to the virtual device303A for processing by the legacy control system. The input data isvalidated and verified for security purposes before that input data ispassed from the host OS 301A to the virtual device 303A. So, theapplication 304 can service as a form of an enhanced preprocessor forthe legacy control system.

In some cases the application 304 can also be used as an enhanced postprocessor for the legacy control system. Here, the application 304gathers and further alters output data received from the legacy controlsystem via the virtual device 303A. The output data is produced by thelegacy control system in response to the input data supplied by theapplication 304 via the host OS 301A.

FIG. 4 is a diagram of another virtual device establishment system 400,according to an example embodiment. The virtual device establishmentsystem 400 is implemented as instructions on or within amachine-accessible and computer-readable storage medium. Theinstructions when executed by a machine perform, inter alia; theprocessing depicted with respect to the methods 100, 200 of the FIGS.1-2, respectively. The virtual device establishment system 400 is alsooperational over a network and the network may be wired, wireless, or acombination of wired and wireless.

The virtual device establishment system 400 is another and in some casesenhanced perspective to virtual device establishment system 300represented by the FIG. 3, presented above.

The virtual device establishment system 400 includes a legacy hardwareconnection service 401 and a guest OS 402. Each of these will now bediscussed in turn.

The legacy hardware connection service 401 is implemented in acomputer-readable storage medium and processes on a host OS thatexecutes on host hardware. Example aspects of the legacy hardwareconnection service 401 were presented above with respect to the methods100 and 200 of the FIGS. 1 and 2, respectively.

The legacy hardware connection service 401 exposes legacy hardwareaccessed by a legacy control system to the host OS. The legacy controlsystem is encapsulated and isolated for processing within the guest OS402.

The legacy hardware connection service 401 permits the legacy controlsystem to access the legacy hardware while the legacy control systemexecutes within the guest OS 402.

The guest OS 402 is implemented in a computer-readable storage mediumand also processes on the host hardware. The guest OS 402 may also beconsidered the virtual device discussed in detail above with referenceto the FIGS. 1-3.

In an embodiment, the host OS validates and verifies for securitypurposes all input passed from the host OS to the legacy control systemvia the guest OS 402.

In another case, the host OS executes an enhancement service that altersoutput data produced by the legacy control system via the guest OS 402.

Also, in some situations, direct connections to and emanating from theguest OS 402 to external networks and/or external resources areprohibited by the host OS.

It is now appreciated how a legacy control system can be executed onmodern architectures that utilize modern OS'S and still have access tolegacy hardware. Moreover, the legacy control systems can be enhancedvia applications developed on and processed from the modern OS'S. Stillfurther modern security mechanisms can be automatically and dynamicallyintegrated into the legacy control systems via processing from themodern OS's.

External access to and from the guest OS 402 is controlled by the hostOS.

The above description is illustrative, and not restrictive. Many otherembodiments will be apparent to those of skill in the art upon reviewingthe above description. The scope of embodiments should therefore bedetermined with reference to the appended claims, along with the fullscope of equivalents to which such claims are entitled.

The Abstract is provided to comply with 37 C.F.R. §1.72(b) and willallow the reader to quickly ascertain the nature and gist of thetechnical disclosure. It is submitted with the understanding that itwill not be used to interpret or limit the scope or meaning of theclaims.

In the foregoing description of the embodiments, various features aregrouped together in a single embodiment for the purpose of streamliningthe disclosure. This method of disclosure is not to be interpreted asreflecting that the claimed embodiments have more features than areexpressly recited in each claim. Rather, as the following claimsreflect, inventive subject matter lies in less than all features of asingle disclosed embodiment. Thus the following claims are herebyincorporated into the Description of the Embodiments, with each claimstanding on its own as a separate exemplary embodiment.

1. A machine-implemented method implemented in a non-transitorycomputer-readable storage medium for execution on a machine, comprising:interfacing, by the machine, legacy hardware accessed by a legacycontrol system associated with a legacy processing environment and afirst operating system (OS) to host hardware that processes a second OS;and initiating, by the machine, the first OS having the legacy controlsystem as a virtual image that is a guest OS on the host hardware withthe second OS designated as a host OS.
 2. The method of claim 1 furthercomprising, permitting, by the machine, the legacy control system of thevirtual image, via the guest OS, to directly access the legacy hardwareonce the guest OS is authenticated.
 3. The method of claim 1 furthercomprising, exposing, by the machine, a legacy device driver for alegacy device of the legacy hardware to the host OS as a generic devicedriver for the legacy device.
 4. The method of claim 1 furthercomprising, exposing, by the machine, an application programminginterface (API) to the legacy control system of the virtual image to thehost OS, the API providing connection access between the host OS and thelegacy hardware.
 5. The method of claim 1 further comprising,interfacing, by the machine, host OS applications to legacy applicationsof the guest OS.
 6. The method of claim 5 further comprising,validating, by the machine, input data passed from the host OSapplications to the legacy applications before permitting the input datato be passed to the guest OS.
 7. The method of claim 5 furthercomprising, modifying, by the machine, input data passed from the hostOS applications to the legacy applications before permitting themodified input data to be passed to the guest OS.
 8. The method of claim5 further comprising, validating, by the machine, output data passedfrom the legacy applications to the host OS applications beforepermitting the output data to be passed to the host OS.
 9. The method ofclaim 5 further comprising, modifying, by the machine, output datapassed from the legacy applications to the host OS applications beforepermitting the modified output data to be passed to the host OS.
 10. Amachine-implemented method implemented in a non-transitorycomputer-readable storage medium for execution on a machine, comprising:creating, by the machine, a virtual device from a legacy control systemand its native Operating System (OS); initiating, by the machine, thevirtual device within host hardware of a host OS; and permitting thelegacy control system, via the virtual device, to access native hardwarehaving native hardware interfaces from the host hardware of the host OSby using the native OS.
 11. The method of claim 10, wherein creatingfurther includes authenticating the virtual device for access on thehost OS.
 12. The method of claim 11, wherein initiating further includesestablishing a secure connection between the guest OS and the host OS.13. The method of claim 10, wherein initiating further includespreventing external network connections to the virtual device fromwithin the host OS.
 14. The method of claim 10, wherein permittingfurther includes connecting the native hardware used by the legacycontrol system to the host OS via the virtual device.
 15. The method ofclaim 10, wherein permitting further include validating input datapassed from the host OS to the legacy control system and validatingoutput data passed from the legacy control system to the host OS. 16.The method of claim 10, wherein permitting further modifying input databefore the input data is passed from the host OS to the legacy controlsystem and modifying output data before the output data is passed fromthe legacy control system to the host OS.
 17. The method of claim 16,wherein modifying further includes modifying the input data and theoutput data via enhancement applications that process in the host OS.18. A machine-implemented system, comprising: host hardware having ahost Operating System (OS) implemented in a non-transitorycomputer-readable storage medium and to process on the host hardware;and the host hardware also having a virtual device implemented in anon-transitory computer-readable storage medium and to process on thehost hardware; wherein the virtual device represents a processing imageof a legacy control system that processes within a legacy OS and thataccesses legacy hardware, and the legacy OS processed as a guest OS, andaccess to and from the virtual device is controlled by the host OS. 19.The system of claim 18, wherein the legacy hardware accessed by thelegacy control system is interfaced to the host hardware for access bythe virtual device.
 20. The system of claim 18, wherein an interfaceexposes the legacy hardware to the host OS and permits the host OS toaccess the legacy hardware.